[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-stix] Observed Data
Good question.... We need to have this discussion and figure out how things are going to look and feel before we finish STIX 2.0. Once we understand the rules for using Cyber Observables in other SDOs, we can be reasonably confident that things will not break.
Bret
From: Kirillov, Ivan A. <ikirillov@mitre.org>
Sent: Tuesday, October 25, 2016 1:53:46 PM To: Bret Jordan (CS); cti-stix@lists.oasis-open.org Subject: Re: [cti-stix] Observed Data For the capture of cyber observable properties, why not just embed an Observable Objects dictionary in each SDO as needed? That way you can capture whatever Cyber Observable Objects are
pertinent to the SDO (e.g., IPv4 addresses) without having to redefine their properties in multiple places, which is essentially what this approach is advocating. Regards, Ivan From:
<cti-stix@lists.oasis-open.org> on behalf of "Bret Jordan (CS)" <Bret_Jordan@symantec.com> All, I spoke with John Wunder about how and when to embed Cyber Observable (formerly CybOX) properties directly on a SDO and when you would use Observed Data via a relationship. We were talking about this in context
with the upcoming Infrastructure SDO.. The rules we came up with, that we would like your feedback on are listed below. It is important that we understand these rules now, so as to not cause a breaking change with Observed Data later on. So yes, we are
talking about an SDO that will not be in the next CSD release, but it is important to understand how it will work and this is the best way to illustrate the usages. Notes about using Observed Data with things like Infrastructure or Malware.
1.
The Infrastructure or Malware object will have Cyber Observable properties directly on them. These fields will allow you to capture the data that characterises these
objects.
2.
So say that an Infrastructure is known to exist in S.Korea and it is using Linux based Web Cameras as a delivery point for C-n-C. These IP addresses and the Make/Model
of the Web Cams would all be on the Infrastructure Object itself.
3.
You may need to revision the Infrastructure object multiple times as you find or discover more things. In this case, some fields on the Infrastructure object may need
to be an array to allow for say thousands of IP address.
4.
The way Observed Data fits in, is when you do a Sighting. When you want to say you saw an instance of these things.
An open question would be how to track things used as part of an infrastructure over time. Meaning, if a threat actor moved from IoT Camera X to IoT DoorBell Y 3 weeks later, how would you record this? Bret |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]